Tuesday, 2025-04-29

cardoeWe've spoken before about seperate service accounts per service. Do we have a spec around that and achieving that?02:05
fricklercardoe: the best I have is this spec-in-code I guess https://review.opendev.org/c/openstack/devstack/+/923944/4/lib/keystone08:07
opendevreviewIvan Anfimov proposed openstack/openstack-manuals master: install-guide: 2023.2 Bobcat to End of Life  https://review.opendev.org/c/openstack/openstack-manuals/+/94842511:49
opendevreviewIvan Anfimov proposed openstack/openstack-manuals master: install-guide: 2023.2 Bobcat to End of Life  https://review.opendev.org/c/openstack/openstack-manuals/+/94842511:50
opendevreviewIvan Anfimov proposed openstack/openstack-manuals master: OpenStack packages for RHEL and CentOS - Maintained Releases  https://review.opendev.org/c/openstack/openstack-manuals/+/94842611:53
opendevreviewIvan Anfimov proposed openstack/openstack-manuals master: OpenStack packages for RHEL and CentOS - Maintained Releases  https://review.opendev.org/c/openstack/openstack-manuals/+/94842611:57
opendevreviewIvan Anfimov proposed openstack/openstack-manuals master: OpenStack packages for RHEL and CentOS - Maintained Releases  https://review.opendev.org/c/openstack/openstack-manuals/+/94842612:09
opendevreviewIvan Anfimov proposed openstack/openstack-manuals master: OpenStack packages for RHEL and CentOS - Maintained Releases  https://review.opendev.org/c/openstack/openstack-manuals/+/94842612:09
opendevreviewFrancesco Di Nucci proposed openstack/openstack-manuals master: docs: rewrite CentOS guide for Stream 9  https://review.opendev.org/c/openstack/openstack-manuals/+/92812812:43
cardoefrickler: the reason I ask is cause I'm talking to the OpenStack Helm PTL about service accounts and credentials. Today they make an "ironic", "neutron", "nova" service accounts. Then configure ironic to use the "nova" one when talking to nova and the "neutron" when talking to neutron and the "ironic" when doing its own thing. Those "nova" and "neutron" ones are the SAME accounts that the nova and neutron service use.14:17
cardoeI'm trying to explain at the very least what should be done is that each service has its own service account and uses that same service account for all of its operations14:18
cardoeCause this cross dependency matrix isn't good.14:18
cardoeHe's asking me for a spec that promotes this.14:18
cardoeHe's linked me to a few neutron and nova docs where they talk about using each other's credentials for access. e.g. in nova when it talks to neutron that you use the neutron account.14:19
fricklercardoe: well to me this is just common sense on how to reduce the attack surface/blast radius of possible compromises. I also don't know where such a spec would get hosted, maybe in the security guide?14:21
fungiwe did have cross-project specifications, once upon a time, but those were later replaced by the goals framework14:50
fungiso i suppose we still have them, but we call them "goals" instead of "specs" now14:50
fungiwriting a goal about projects using their own accounts and not getting credentials for the accounts belonging to other services sounds worthy of being a stated goal14:51
fungier, i butchered that sentence, but you get my drift14:51
fricklerwell except afaict this is not about what projects themselves require (at least I very much hope so), but only about what deployment projects and install guides (suggest to) implement. can still be a goal, but with pretty restricted scope15:20
fungiyeah, deployment project specific, maybe with related guidance for other deployers in the opnstack security guide15:21
gouthamrtc-members: gentle reminder that we have the weekly IRC meeting here in ~58 mins16:02
mnasiadkacardoe: I’m pretty sure all deployment projects are in the same boat - we do what is required - would be nice to get a list which projects support a service persona and include deployment projects work in RBAC goal tracking16:11
noonedeadpunk++ to that ^16:52
noonedeadpunkwe also add service role along with admin role for a while now. We can drop admin anytime whenever there is a clarity which service can live with only service role16:53
fricklerthe latter sounds orthogonal to the question which service (config) should have credentials for which account(s)16:57
fricklerso maybe some document would be helpful already to just make sure people are all talking about the same thing?16:58
gouthamr~~ lets get into the meeting ~~~17:00
gouthamr#startmeeting tc17:00
opendevmeetMeeting started Tue Apr 29 17:00:32 2025 UTC and is due to finish in 60 minutes.  The chair is gouthamr. Information about MeetBot at http://wiki.debian.org/MeetBot.17:00
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.17:00
opendevmeetThe meeting name has been set to 'tc'17:00
gouthamrWelcome to the weekly meeting of the OpenStack Technical Committee. A reminder that this meeting is held under the OpenInfra Code of Conduct available at https://openinfra.dev/legal/code-of-conduct.17:00
gouthamrToday's meeting agenda can be found at https://wiki.openstack.org/wiki/Meetings/TechnicalCommittee17:00
gouthamr#topic Roll Call17:00
frickler\o17:01
spotz[m]\o/17:01
gmaano/17:01
gouthamrnoted absence: g t e m a17:01
gouthamrcourtesy ping: bauzas cardoe noonedeadpunk mnasiadka 17:03
bauzashere17:03
mnasiadkao/17:04
gouthamrthank you all for joining, lets get started17:05
gouthamr#topic Last week's AIs17:05
gouthamr1) Skyline build reproducibility 17:05
gouthamrthe progress here has been s l o w17:06
gouthamrfungi and wu_wenixang__ confirmed that the core reviewers were on the ML and we stated that we'd prefer discussing the SBOM issue on the original ML post.. i'll bump it up this week17:07
gouthamr2) Grenade test job update/progress 17:07
gouthamrgmaan: was there anything new that happened this week?17:07
cardoeo/17:08
fricklershouldn't that topic be finished for this cycle?17:08
cardoeGuess I should have come in quietly in the back.17:08
fungiyeah, i'm on a conference call right now but happy to talk about sbom stuff async later17:08
fricklercardoe: just sit down now ;)17:09
* gouthamr hands cardoe the tardy slip :D 17:09
gmaansorry, for late response17:09
gmaannothing news from me on grenade things17:09
spotz[m]Hey I've forgotten until the last 10 minutes so...:)17:09
gmaanbut I think all grenade jobs are setup correctly. I will check heat/ironic/manila one today if anything needed17:09
cardoeSo skyline is a bit similar IMHO to some of the other container bits I've wanted to bring up.17:09
gouthamrgmaan: ack, to recap: we made branch changes on grenade itself, and the test jobs we setup should automatically start testing E-->F, and SLURP jobs needn't run on master, temporarily 17:10
gouthamris that correct? 17:11
gmaangouthamr: yes, SLUPR can be run as voting or non voting but up to projects. by default i added to run as voting and project can opt it out if needed17:11
gouthamr++ thank you.. 17:12
gmaancontinue running SLURP (N-2 -> N) upgrade helps to avoid or at least know what all breaking things coming up for next SLURP17:12
gouthamrack17:12
gouthamr3) VMT resolution 17:13
gouthamr#link https://review.opendev.org/c/openstack/governance/+/944817 17:13
gouthamrlast call for reviews on this one, there was a change posted last week which pushed out the merge timeline for it17:13
gouthamrso if you had a RC +1 prior, please do check the latest patchset.. if you've already done that, thank you :) 17:14
fungiJayF: is the other regularly active vmt member who hasn't +1'd the latest patchset17:14
gouthamrty, next AI is to begin working on the changes suggested.. starting with TC liaisons17:15
gouthamrbauzas indicated that he'd like to be a TC liaison, i can be one too.. in my copious free time :) 17:15
gouthamris there any other TC member that wants to be a liaison instead?17:16
JayF+1 in spirit 😄17:16
spotz[m]hehe17:17
bauzasbear with me ;-)17:17
funginote that it should be sufficient to just document it somewhere (could even be in the liaisons wiki) so that vmt members know who to reach out to if we're having trouble getting anything from the project leaders17:17
gouthamryeah, that's where i was thinking17:18
fungidoesn't need to be super formal, just need to know where we should look17:18
gouthamrokay, ty bauzas++ you're it, i'll update the wiki once the resolution merges.. we can chat about the rest of the changes here or in #openstack-security 17:20
gouthamr4) Move PTG AIs to tracker17:20
noonedeadpunko/ 17:20
gouthamri'm a slacker here, some of them are there.. others, including unassigned ones don't figure here17:21
gouthamrwill move them and bug folks appropriately.. 17:21
gouthamr5) Chat with ianychoi/seongsoo to clarify i18n team’s requests and concerns, chat with rosmaita about the  openstack.weblate.cloud 's context/history17:22
gouthamr^ this is ongoing in private, unfortunately, because some payments etc are being discussed17:22
gouthamrbut i can give you a summary: we identified the limits in the hosted weblate, and are exploring what options exist17:23
gouthamrdo we pay more as we complete the migration, if yes, how much? (we = openinfra foundation) 17:24
gouthamrwho do we work with to get any unadvertised offers to reduce said payment17:24
gouthamrin parallel, i18n SIG members are looking to reduce "source strings" that count towards this limit - on how/why, we'll need to pick their brains on the subject17:26
noonedeadpunkthat would be really nice to figure out sooner then later17:26
noonedeadpunkas we are already doing transition for a while and it feels that we're running out of time overall17:26
spotz[m]Speaking of translation, docs has an issue to add tags in. I've been holding off on it as I know there have been concerns with the team not being able to keep up. And I don't mean that in a bad way but can't think of better wording for more tags then translations17:27
gouthamrtrue, i can press on this need.. from what i know, the SIG lacks members, so if you are willing to help, or know anyone that is, it might help spread the load!17:27
noonedeadpunk(not saying that some things would be nice to add for translation, but we don;t to reduce amount of things to migrate)17:27
gouthamrspotz[m]: oh, what tags?17:27
spotz[m]Let me look I was trying to keep those as unread17:28
gouthamrty17:28
gouthamralright, that's all the AIs i was tracking17:29
gouthamrdoes anyone else have any?17:29
spotz[m]This might be it https://review.opendev.org/c/openstack/openstack-manuals/+/947059?usp=email17:29
spotz[m]No I thought it was .po files this is .py17:30
spotz[m]Still looking17:30
gouthamrokay.. 17:30
gouthamr#topic Affiliation changes17:30
gouthamrgmaan: i'll put you on the spot for an announcement17:30
gmaanyeah17:31
gmaanI would like to share about my affiliation change. I joined Redhat yeaterday.17:31
spotz[m]Maybe I imagined it:)17:31
fricklerspotz[m]: were you referring to https://review.opendev.org/c/openstack/openstack-manuals/+/947180 vs. https://review.opendev.org/c/openstack/openstack-manuals/+/947256 ?17:32
fricklergmaan: congrats17:32
gmaanas we have org diversity requirement, I would like gouthamr to check those and let me know next step if any change needed for my term17:32
spotz[m]frickler: you rock, yes!17:33
gouthamrgmaan: congratulations and welcome to Red Hat, you broke the internet with the nick and email changes at the same time :D 17:33
gmaanfrickler: thanks17:33
fungii want to say as of the last tc election there could have been one more rh employee without exceeding 50%, but good to double-check that17:33
gouthamrfortunately, no.. we are still in compliance with the TC's diversity requirement17:33
gmaanyeah, as I changed my email id so though of changing the irc nick etc. but sorry for breaking the scripts. I thought changing primary email in gerrit will work fine17:34
spotz[m]Welcome gmaan17:34
gmaanspotz[m]: thanks17:34
gmaanhope all fixed now.17:34
gmaanoh no, this still not merged17:34
gmaan#link https://review.opendev.org/c/openstack/governance/+/94835417:34
gmaanafter this release tooling will be fine17:35
gouthamrbauzas, spotz[m], gmaan and myself are affiliated with Red Hat; and that's 44.4% of the TC17:35
fricklergmaan: you still need to switch to a new .com domain ;)17:36
gouthamror maybe .ai17:36
spotz[m]I thought .ai was going away?17:36
gmaanfrickler: I just subscribed to old one 1 week before so I will continue that for a year and see if I can get new one :)17:37
gouthamr:P jokes aside17:37
gmaando not want to waste my $40 :P 17:37
gouthamra gentle reminder to everyone to please keep their affiliation data on OIF Foundation profiles up to date17:38
gouthamryou'd probably also update x/stackalytics if you care to..17:39
gouthamrthat's all there was to $topic17:39
fungiaffiliation changes in the openinfra foundation profiles should get picked up automatically by openstack.biterg.io (though it's down at the moment due to an intersection of scheduled maintenance and mass power outages in spain)17:40
gouthamr#topic Activity of SIG groups17:40
gouthamrack fungi 17:40
gouthamrnoonedeadpunk: you added this topic, and seeded a couple of questions to the meeting:17:40
gouthamr1) How do we track if SIG is active or not17:41
gouthamr2) How we can enable interested people to get into SIG to continue maintenance if SIG is inactive17:41
gouthamrwas this motivated by any examples?17:41
gouthamr#link https://governance.openstack.org/sigs/ 17:41
noonedeadpunkah, yes, I did last week17:41
frickleriiuc the ansible sig?17:41
noonedeadpunkSo eventually the folk came to osa channel seeking for help with ansible-collections-openstack sig17:42
noonedeadpunkyes17:42
gouthamrah, you were trying to reach sshnaidm17:42
noonedeadpunkwell, not specifically17:42
noonedeadpunkso the thing is that there quite some contributions coming to the repo17:42
noonedeadpunkbut really no review activity17:42
fungii've gotten recent questions about whether the scientific sig is still active too17:42
noonedeadpunkwith that - there's no really established proicess of adding new members to the sig17:43
gouthamrvery much, i think :) were you able to direct the enquiries, fungi?17:43
gouthamrnoonedeadpunk: yes17:43
fungii pointed folks to the list of chairs for the sig, but i think they're all (or almost all) gone from the community now17:43
noonedeadpunkso even if there're interested parties to step in with maintenance - they don't have much chance17:43
fungiyeah, that's the problem with sigs going inactive is the chairs are the only points of contact in many cases, and once they're gone it's unclear how newcomers can get involvd17:44
gouthamrfungi: i pleasantly discovered that the scientific SIG was celebrating its 10th anniversary and is quite active, except they're not like an openstack project team and don't talk a ton on OFTC17:44
noonedeadpunkyeah, right17:44
gouthamrfungi: here's their Slack: https://join.slack.com/t/os-scientific-sig/shared_invite/zt-34akzhxia-J4DDSoGY0wLnh9aoNxqqlA 17:44
fungioh cool, thanks!17:45
bauzasya the main issue is that they don't use IRC17:45
fungii'll pass that along17:45
bauzasagain a slack issue17:45
opendevreviewMerged openstack/governance master: Updating Ghanshyam email/irc name  https://review.opendev.org/c/openstack/governance/+/94835417:45
fungithere was also discussion about whether we can get the scientific sig and large-scale sig connected to one another, since there seems to be some overlap in interests for the hpc space in particular17:45
* gouthamr imagines that headshake 17:45
fungi(hpc now being considered synonymous with ai)17:46
noonedeadpunkbut I wonder if ansible sig is a little bit more unique in terms of having a deliverable17:46
fungithe tact sig has a lot of git repos, the security sig has some too17:47
noonedeadpunkok, yes, right17:47
spotz[m]They were one of the groups Julia refered to from conversations at OpenInfra Days NA17:47
gmaanin past, we used to check SIG meeting happening or not but that should not be the criteria to consider them as inactive17:47
fungithe packaging sig did" i don't know whether they still do though17:47
gouthamrfungi: sometimes, foundation staff - like yourself/ttx/helena/aprice/diablo_rojo/jimmymcarthur seem to know how to find people.. but, its an unsustainable way to connect with people, i agree17:47
noonedeadpunkI think the main pain point - if how to get new members onboarded if chair is not active more or less17:48
gouthamrnoonedeadpunk: we have a list: https://governance.openstack.org/tc/reference/sig-repos.html17:48
gmaanI see 'k8s' 'Hardware Vendor' 'First contact' 'cloud research' 'automation' and maybe few more have no activities?17:48
fungiyeah, people were asking other foundation staff members about the scientific sig, and they asked me17:48
noonedeadpunkhttps://opendev.org/openstack/ansible-plugin-container-connection this looks completely abandoned17:49
noonedeadpunkbut also it looks like osa related under ansible sig....17:49
spotz[m]I'll also say we're about to announce RDO Epoxy, but we desperately need packagers if there is going to be a Flamingo17:49
spotz[m]Or I should say RPMs17:50
gmaanI think we should initiate the separate email about each SIG which we do not find activity or no response from listed chairs. 17:50
mnasiadkaWell, Scientific SIG is alive - if there’s any need for relaying information - I can help. But I agree we should have some process in place for having a responsive chair or current contact details.17:50
gmaanthat at least can refresh the chair list if SIG still needed or to more moved to 'advisory' or 'completed' status17:51
fungispotz[m]: i thought rdo had said they were moving to just slurp releases?17:51
spotz[m]The 2 engineers who were packaging moved to new roles:( We've talked about it in meetings but no one but us went to them17:52
gouthamrso teh questions remain, i think it'd be useful if there was a proposal17:52
noonedeadpunkI can recall Neil saying smth about help, but not sure17:52
spotz[m]He came to one meeting17:53
gouthamrnoonedeadpunk: have you had any thoughts around changing the situation and answering the two questions you posed?17:53
noonedeadpunkno, not really. Pretty much the reason I raised as I had lack of good ideas17:53
noonedeadpunkAnd I'd say I was trying to think about these for some time now17:53
mnasiadkaKolla basically uses only a couple of packages from RDO build deps - I can check which ones… if RDO is going to disappear…17:54
noonedeadpunkosa uses a whole distro path based on rdo fwiw17:54
gouthamrokay, that looks like a tangent that we shouldn't go into.. 17:54
gouthamri mean, please discuss RDO challenges as a separate topic for next week if you'd like17:55
noonedeadpunk++17:55
fungithough osa and kolla also support other distros, if sticking with a particular deployment tool is more important to users than sticking with a particular distro17:55
spotz[m]We can talk afte17:55
noonedeadpunkso I guess I wanted to raise that and gather opinions on possible solutions17:55
noonedeadpunkI can do a writing part and combine thoughts together17:55
gouthamrwe could try to update stale info, to begin with17:55
noonedeadpunkbut I struggle to find solution on myself, so was hoping on some collaborative effort :)17:56
gouthamrand probably add links if they're missing on "how do i join this SIG"17:56
gouthamrits a big problem that we can chip away in small pieces17:56
spotz[m]Could do quarterly updates, or updates when we have elections?17:57
noonedeadpunkwhat is more tricky, is that not each sig are equal somehow17:57
noonedeadpunkas one do have deliverables, while others do not17:58
gouthamrspotz[m]: yes, and probably an initial push now to fix stale info.. if it helps, we can have folks join TC meetings with short updates: "Meet SIG X, and know their updates"17:58
gmaanyeah but having active and up to dated list of chairs is helpful 17:58
noonedeadpunkindeed17:58
bauzasagreed17:58
noonedeadpunkbut how chairs are assigned?17:58
gouthamr++ lets work on that part first; ty for bringing this concern, noonedeadpunk 17:58
noonedeadpunkas they are not taking part in elections?17:58
noonedeadpunkso maybe we need to add SIG chair to elections?17:59
gmaanwho ever volunteer is added in that list17:59
noonedeadpunkwhich would highlight a) activity b) if it's relevant?17:59
gouthamrno, https://governance.openstack.org/tc/reference/comparison-of-official-group-structures.html17:59
fungiat least in the sigs i'm involved in, anyone who wants to volunteer to be a chair can. i'm the sole chair of two sigs right now and have repeatedly stated for years that i's appreciate volunteers to help or relieve me entirely17:59
gmaanit is more of up to SIG members to agree on the chair17:59
spotz[m]No but we ask the SiGs and WG for ATC suggestions, admitedly we've been bad on that for years17:59
spotz[m]We used to send thm to TOm if that answers how bad we've been:)18:00
gmaanlike we do for DPL, having a reset and checks for up to dated list is no harm18:00
gouthamri wouldn't put the process of elections on short/long term groups like this18:00
gmaanyeah. election are not needed as such18:00
noonedeadpunk`which are not directly responsible for producing components of the “OpenStack” software release` -> does ansible SIG really goes under this criteria specifically?18:00
gouthamr"SIGs can own git repositories and produce software, but that software will be considered add-on software to the main “OpenStack” software releases. "18:01
gmaanand 'reset' can be just check them via email, irc etc18:01
bauzastime check, I need to leave18:01
gouthamryes18:01
gouthamrwe're a bit over, apologies18:01
gouthamrlet's end this meeting here18:01
fungiare the repositories that the ansible sig manages official deliverables of openstack? shouldn't be possible governance wise18:01
noonedeadpunkyeah, right, sorry :)18:01
gouthamrsorry, but some topics will be pushed to next week18:02
gouthamrwhich is a Video+IRC meeting18:02
gouthamri'll share details as usual18:02
gouthamranything else to add to the minutes today?18:02
noonedeadpunkfungi: it's where things get nasty18:02
noonedeadpunkI'll add after the end:)18:02
gouthamrthanks everyone18:03
gouthamr#endmeeting18:03
opendevmeetMeeting ended Tue Apr 29 18:03:24 2025 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)18:03
opendevmeetMinutes:        https://meetings.opendev.org/meetings/tc/2025/tc.2025-04-29-17.00.html18:03
opendevmeetMinutes (text): https://meetings.opendev.org/meetings/tc/2025/tc.2025-04-29-17.00.txt18:03
opendevmeetLog:            https://meetings.opendev.org/meetings/tc/2025/tc.2025-04-29-17.00.log.html18:03
gouthamrnoonedeadpunk: continue please :) 18:03
fungii won't be around for next week's meeting (work travel), but can try to catch up in irc if there are questions for me18:03
noonedeadpunkfungi: so it was made as a sig to avod licensing issues 18:03
gouthamrfungi: ack 18:03
fungihttps://opendev.org/openstack/governance/src/branch/master/reference/sigs-repos.yaml#L3-L5 lists two repos18:04
noonedeadpunkas there were concerns that importing GPL3 code into modules, which is required to produce ansible module, requires to be licensed with GPL as well18:04
fungiin theory those are openstack community managed resources, not official openstack deliverables18:04
noonedeadpunkso it was made aside just to not cause any troubles with that18:04
noonedeadpunkopenstack/ansible-plugin-container-connection - we should drop this one, imo18:04
noonedeadpunkI have very little idea how it happened to be there...18:05
clarkband the other is part of ansible + openstack integration which isn't part of the opensdtack release as far as i Know18:05
noonedeadpunkit's not part of the release18:05
noonedeadpunkbut it's very related to the versions of sdk 18:06
fungiyeah, it's client tooling essentially, for people who want to manage openstack resources with ansible playbooks18:06
noonedeadpunkand very dependant on them18:06
noonedeadpunkbut so is CLI and SDK?18:06
clarkbsure but thats no different than opesntack being dependent on python18:06
clarkbyou can depend on things and not be part of their release18:06
noonedeadpunkas openstack are APIs and CLI is a convenience18:06
fungicli and sdk are openstack deliverables maintained by an official project team18:07
noonedeadpunkI know. and that is pretty much the point, that in their core - they are kinda alike18:07
fungianyone can write software that talks to openstack and host it wherever they like. in this case it's done in the context of an openstack sig, but it could just as well be some random maintainer(s) on github18:07
funginot all software that interacts with openstack needs to be officially governed by an openstack project team and participate in the coordinated release18:08
noonedeadpunkum, but should not be this a protected trademark? https://galaxy.ansible.com/ui/namespaces/openstack/18:08
noonedeadpunkas it's owned by ex sig chair18:09
noonedeadpunkafaik18:09
clarkbI'm not an IP lawyer but my understanding is you can use non stylized names to accurately refer to things18:09
fungihttps://www.openstack.org/brand/18:09
fungithe "Community Organizers & Non-Commercial Use" section is probably relevant18:09
clarkbif you provide tooling to communicate to or integrate with openstack using the term openstack is probably fine in that content. But you can't use the logo or stylized version of the name. But also ^ there are guidelines and I'm not a lawyer18:10
noonedeadpunkok, so basically your solution for non-active sig or absent reviews is to fork the repo?18:10
fungithe tc (formerly the meta-sig which was comprised of tc+uc members before the uc was folded into the tc) governs all sigs, and can reassign access to any of those resources18:11
noonedeadpunkyes, right, so pretty much I wanted to see if it's possible to establish some process which seems to be missing now18:11
gouthamryeah, my preference would be to re-staff the said SIG if there's interest18:12
fungiif someone wanted to take over maintenance of the openstack/ansible-collections-openstack repo and the tc decided that it was basically abandoned or mismanaged, then they could choose to amend or replace the list of maintainers with new volunteers18:12
spotz[m]Staff the meta-sig?18:12
fungistaff the ansible sig, i think18:12
spotz[m]Ahh18:12
noonedeadpunkto asses and be able to have some sort of criteria when a flag needs to be raised18:13
fungisounds like a great idea to me18:13
noonedeadpunkBut also, IMO TF, CLI, SDK, Ansible modules are having huge value for OpenStack18:13
noonedeadpunkAs that tends to be a good selling point, on the contrary to developing in-house or forked solution18:14
fungiwhat is tf?18:14
noonedeadpunkthat you will loose all that amazing compatability and community tools18:14
noonedeadpunkopenbao :)18:14
noonedeadpunkbrrrr18:14
gouthamrah famously abbreviated as "TF" :D18:15
noonedeadpunkopentofu18:15
noonedeadpunkyes, it is :D18:15
clarkbsure, but there are two common issues there: 1) is people who want to write plugins for that are often more aligned to those tools than to the thing they are writing a plugin for and 2) licensing18:15
clarkbI don't think we should demand it either way and do what works best for the particular ecosystem18:15
fungiopenbao seems to be a fork of hashicorp vault18:15
clarkbfungi: teraform is tf which got forked to opentofu18:15
noonedeadpunkfungi: yeah, sorry, I was just dealing with it so mixed things up, meant opentofu18:16
fungiaha, opentofu==terraform18:16
fungiokay, so you're saying some community management of a blessed set of terraform/opentofu modules would be helpful to have?18:17
noonedeadpunkif I'm not mistaken, gtema was involved in that at some point18:17
fungiand yeah, it seems like in general we've seen that people who want to do e.g. terraform support for openstack would rather manage those resources in the communities and infrastructure that the terraform community uses rather than within the openstack community governance and development infrastructure18:18
noonedeadpunkI guess what I meant that it's in project best interest to do everything possible for such toolings to succeed18:18
fungihelping them succeed doesn't necessarily mean taking control of and governing them18:19
noonedeadpunkWell, Ansible comminity goes in different direction and tries to push responsibility for modules and plugins to projects which they are for18:19
noonedeadpunkand that what happened in ansible 2.10? when this sig was established, when openstack modules were dropped from core...18:20
noonedeadpunkanyway18:20
clarkbright I think its ok for ansible dev to happen within openstack if that is what people prefer and tf/opentofu def to happen with tf/opentofu if that is what they prefer18:21
fungii thought there was an ansible community that hosted non-core resources collectively18:21
clarkbits about meeting the tools and communities where they want to be and not about openstack having one method for everything18:21
clarkbthen additionally there may be licensing concerns18:22
noonedeadpunkfungi: so pretty much ansible.community is bunch of stuff that was dropped from the core and not claimed by anyone. And it's barely maintained at the moment from what I've heard18:22
fungiyeah, sigs seem fine for that. the people maintaining those resources can do it in a way that's affiliated with openstack and hosted in the same development systems but not governed by the rigor or limits of official project teams18:22
clarkbliek I personally don't think openstack should be on the hook for integration with proprietary tooling. That is typically pushed onto the proprietary system devs (and is something that I think has largely worked over time)18:22
fungiit sounds like the problem in this specific case is that the people who had previously been interested in managing that repository disappeared and didn't leave any succession plan to hand off maintenance to someone else18:24
noonedeadpunkok, sorry, I somehow struggle to understand where this discussion is going to. As eventually a person came in and flagged that they have no point of contact and don't know what to do to get their bug fix reviewed18:24
noonedeadpunkfungi: exactly18:24
noonedeadpunkbut my guess is that situation is not unique overall18:25
fungithe openstack tc is the point of contact of last resort, and has the authority to take or delegate control to whoever they like18:25
clarkboh I thought you were saying someone started maintaining a fork (hence the trademark question)18:25
noonedeadpunkno, not really18:25
clarkband I was trying to say I think that is ok if htat is what makes sense for that community18:25
noonedeadpunkit's more that this namespace is under sig, but access to used to be personalized by ex sig  chair that is not active anymore18:26
noonedeadpunkbut yes, again, tc probably has authority, but we have no clue how and more imporantly when to excersice it18:28
noonedeadpunkwhich is where I was coming from :)18:28
fungimakes sense, and it's up to the tc members collectively to decide the how and when18:29
noonedeadpunkright18:29
noonedeadpunkbut all my ideas were too rtestricitve to be applied to sigs18:29
JayFgmaan: congratulations on the new role18:30
gmaanJayF: thanks18:31
funginoonedeadpunk: could be something as basic as proposing a governance-sigs change to update the chairs to new volunteers and asking the tc to vote on that review18:31
gouthamryeah18:32
mnasiadkaWell, that’s the fastest path to get it tidied up.18:33
fungione of the hallmarks of the sig model was that it was intended to be simple and low-maintenance with as little bureaucracy as possible18:33
gouthamra good first step; and then follow that up with the improvment you wanted: how does one join 18:33
fungionce the chairs are updated, i'm happy to use gerrit admin perms to add the new chairs to the corresponding groups for access18:34
gouthamrmy thought is akin to the community goal we all did at one point to create a "So you want to contribute" page.. we could drive all SIGs to have a one pager _somewhere_ which lists info on how to join/help 18:35
clarkbat a higher level I think we (openstack) should maybe be more explicit that the broader community intends on maintaining software as long as their is interest and inactive maintainers may be supplemented by new interest parties18:35
gouthamrwe are 18:35
clarkbya I think this has been the case through action but it may not be apparent to say newer groups like skyline that if tehy stop maintaining things in six months that if someone shows up 3 months after that they are tag you're it now18:36
gouthamrah, are you thinking spell it out in the TC charter?18:36
gouthamror the project team guide?18:37
clarkbprobably more the project team guide18:37
clarkbfundamentally we're all stewards of community assets for lack of a better term. And intend on perpetuating that situation (I'm speaking for my self here but I Think the community has acted in this way over time too)18:38
gouthamragreed18:38
gouthamrin https://docs.openstack.org/project-team-guide/repository.html perhaps?18:39
clarkbhttps://docs.openstack.org/project-team-guide/open-development.html or here? basically call out that there are ptls and core reviewers but they are stewards? I dunno it may also be overkill18:41
clarkbI think in most situation this has come up people are grateful someone else is stepping in and happy for it18:41
mnasiadkaOne thing is a mention how you can step up or calm out that a project/repo lacks maintainers - second thing SIG is not really a project team (so maybe doesn’t fit in project teams guide)18:44
mnasiadkaErr, *call out18:44
mnasiadkaComing back to Ansible SIG - for me it’s sort of an important deliverable (like openstacksdk) but for people using Ansible - having that namespace not under OpenStack control reminds me of that pypi projects ownership problem18:46
JayFIt's also worth noting we do have some openstack applications -- like bifrost -- which use ansible18:47
JayFhttps://opendev.org/openstack/bifrost/src/branch/master/ansible-collections-requirements.yml18:48
mnasiadkaKolla-Ansible also uses this collection, OSA probably as well18:53
fungimnasiadka: it's in the openstack/ git namespace on opendev, so under openstack (tc) control18:53
fungiit's attributed to a sig rather than being an official deliverable, and the story behind that choice seems to mainly be an attempt to satisfy https://governance.openstack.org/tc/reference/licensing.html18:55
clarkbfungi: I think they are referring to the namespace on ansible galaxy (but yes confusing)18:56
fungioh, got it18:56
mnasiadkaAh right, Ansible and GPL3 requirements - https://docs.ansible.com/ansible/latest/community/collection_contributors/collection_requirements.html#collection-licensing-requirements18:59
fungian alternative would be to amend the tc licensing guidelines to include an exception for client integration tooling or some such19:01
fungithough i think that would involve a chat with the board and/or foundation legal to confirm (it did in the past anyway)19:02
fungifor example, back when there was still an infrastructure team and zuul added its ansible launcher, it needed to start shipping some (non-linked, so not an apache license conflict) gpl3 modules. that's when the "Projects run as part of the OpenStack Infrastructure" exception was approved19:07
fungispotz[m]: https://review.opendev.org/c/openstack/project-config/+/948033 is probably relevant to the earlier rdo discussion too19:36
noonedeadpunkI'm actually not 100% about original assesment of GPL320:12
noonedeadpunkAs importing of GPL3 code likely does not lead consequence of licensing your code as GPL320:12
noonedeadpunkIe ansible-lint, molecule and some other tooling in the ecosystem are distributed with MIT20:12
noonedeadpunkBut it really needs lawyer view20:13
noonedeadpunkMaybe our new LF friends can help us out clarifying this thing...20:13
noonedeadpunkAlso each time I poked Ansible community managers or product managers from RH - they were not sure in that either20:17
opendevreviewGoutham Pacha Ravi proposed openstack/project-team-guide master: Add notes on reviving projects/deliverables  https://review.opendev.org/c/openstack/project-team-guide/+/94848420:18
noonedeadpunkAs I think important difference, is that we do not re-distribute the original code, we import it from it's origin. But again - not a lawyer20:18
clarkbnoonedeadpunk: MIT is not viral. GPL is20:36
clarkbit depends entirely on the license and in many cases interpretation as there are all sorts of exceptions20:37
clarkbfor example mysql has an exception20:37
fungiwell, also mit/expat and gpl3 are compatible licenses anyway. linking exceptions are generally used to remove certain privisions of a license under specific uses, for example to address license incompatibilities20:44
fungithe current mysql example is at https://oss.oracle.com/licenses/universal-foss-exception/20:46
gtemafor those still reading on the ansible-collections-openstack: I would be strongly against TC simply setting other people as cores. Historically there were no people staying with Ansible for the long term (except very few cases). Every time someone new appears and claims to have interest that interest disappears after the change (or 2) has been merged. There are way to many corner cases in the Ansible world which those pass-by people have no21:00
gtemaidea of. This is not the way to handle the situation21:00
fungiso instead the tc should declare it abandoned and retire it?21:01
JayFgtema: you basically want to treat it like we would a project team instead of a sig, which is super reasonable given we use the libraries in the same way we would a project21:02
fungisounds like you're suggesting that it's untenable and we should give up any hope of hosting it in the openstack community21:02
JayFit sounds like if this were held to a project team standard, it'd be "inactice"? 21:02
JayF**inactive21:02
gtemait is not abandoned. When I am pinged I am trying to spend time there. It just that I have no free time (nor direct interest anymore) to keep it on the radar permanenty. 21:03
gtemaHonestly I also have an idea of redoing modules following the openapi work - generating all the modules automatically21:03
fungioh, then you are a (and perhaps the only) maintainer, so it's at least somewhat maintained21:03
funginoonedeadpunk made it sound like nobody with access to it was involved any more21:04
gtemayes, it is indeed somewhat maintained21:04
gtemathat is not very corect21:04
gtemacardoe recently started pushing changes which I was reviewing so if he would be having more interest in spending some more time - welcome21:05
cardoeI think it'd be great if all the modules were auto generated.21:05
fungimaybe you'd be okay being the chair for the ansible sig, more so if it became just the ansible collections sig?21:05
cardoeI'm trying to fix up some keystone usage but it's honestly just a short term fix for me as we move to a Kubernetes operator.21:05
gtemasure, it is just that my other point was perhaps to investigate using Rust in ansible modules, since Ansible is just terribly slow21:06
gtemaotherwise the problem with the auto-generation is that you can only generate it when your underlaying SDK is also completely auto-generated. Otherwise you do not have 100% standardized interface21:07
fungiansible modules can just be thin python wrappers around compiled binaries in any language can't they?21:07
gtemathe alternative was to get rid of openstacksdk (except of maybe config reading) and just generate it purely to use API directly21:07
gtemafungi - technically yes.21:08
cardoewell openstacksdk is a bit inconsistent as well some stuff uses the service proxies and some doesn't21:08
gtemabut you need to have a way of ensuring the binary is installed on the target21:08
gtemaI had a plan to more or less exactly wrap usage of rust cli by ansible - just never got time to work also on that - too many open things21:08
gtemacardoe - that is exactly where I stopped playing with the idea of generating ansible modules relying on openstacksdk21:09
JayFWhat do you mean 'service proxies' in this context?21:13
gtemafor every service there is a dedicated proxy in sdk and those are not 100% following same rules (mostly because openstack services are not following same rules) - as such you have a bit mixed interface between services that is not consistent21:15
gtemamicroversion handling is another beast in the Ansible module context21:16
JayFAh, okay. Implementation detail thing :) 21:18
* JayF was afraid Ironic was missing a thing21:18
gtemabit more than that. cli is more or less just exiting informing the user that what he requests is not possible with the MV supported by the cloud potentially leaving ways to influence which MV to use. In Ansible (since this is a strongly non-interactive invocation) there is no way for that21:19
gtemamicroversions are evil, they should have never existed21:20
JayFI disagree, but I'm a grumpy operator who appreciates we don't break old stuff and not an API designer or SDK developer :)21:21
gtemayou break, you just do not know about that. When parameter type is changed with MV it is not acceptable, but this is the reality21:21
JayFI would be surprised if we have anything (at least recently) in Ironic that's inconsistent in the same version. We have tried /really hard/ to enforce it even for mild changes21:22
gtemaI was never good at ironic microversions, I am mostly talking about nova MVs21:23
* JayF waits for the laundry list of sins to come out ;) 21:23
gouthamrmicroversions is under the statute of limitations21:24
gtemafor sdk/cli maintainer those are insane and only make life more complex than it should be21:25
JayFgouthamr: the only way to fix API sins is to commit more API sins ;) 21:26
gouthamrconsistency!21:26
opendevreviewGoutham Pacha Ravi proposed openstack/project-team-guide master: Add notes on reviving projects/deliverables  https://review.opendev.org/c/openstack/project-team-guide/+/94848422:07
spotz[m]<fungi> "spotz: https://review.opendev...." <- Yeah on that already22:26
opendevreviewIan Y. Choi proposed openstack/election master: Add configuration for 2026.1/"G" elections  https://review.opendev.org/c/openstack/election/+/94849422:27

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!